Complexity Breeds Vulnerability: Cisco and Citrix VPNs Linked to 6.8x Higher Ransomware Risk
Organizations relying on Cisco or Citrix VPN appliances face a staggering 6.8 times higher risk of ransomware infection compared to those without detected VPNs, according to cyber-insurer At-Bay’s 2025 InsurSec Report. The findings, drawn from over 100,000 policy years of claims data between January 2024 and March 2025, highlight a systemic vulnerability in traditional remote access infrastructure.
The High-Risk VPN Landscape
- Cisco/Citrix Dominance: Topped the risk chart for the second consecutive year
- Other Vendors: SonicWall (5.8x risk), Palo Alto GlobalProtect (5.5x), Fortinet (5.3x)
- On-Prem vs. Cloud: Any on-prem VPN correlated with 3.7x higher attack likelihood versus cloud alternatives
At-Bay CISO Adam Tyra clarified: "We're not suggesting these products are inherently insecure, but they are complex and require consistent maintenance. While many organizations can deploy them securely, far fewer can maintain them properly over time, leading to missed patches and outdated configurations."
Why VPNs Became Attack Magnets
- Network Gateway: VPNs provide direct pathways into otherwise isolated corporate networks
- Feature Bloat: Modern next-generation firewalls (NGFWs) combine VPN, firewall, routing, and proxy functions in one appliance, which creates a far larger attack surface
- Operational Burden: Complexity overwhelms IT teams, resulting in delayed patching and misconfigurations
The data reveals alarming patterns: 80% of ransomware attacks leveraged remote access tools for initial entry, with 83% of those cases specifically involving VPN devices.
SonicWall’s Alarming Surge
While not in the initial risk-period data, SonicWall emerged as a critical concern later in 2025:
- 300% quarterly increase in Akira ransomware attacks targeting SonicWall devices
- $958,000 average ransom demand (104% jump from Q2)
- Linked to exploitation of critical CVEs like CVE-2024-40766 (CVSS 9.8) and cloud backup breaches
Tyra noted: "We have at least six different credible hypotheses to explain Akira's activities... Besides the high number of exploitable vulnerabilities, SonicWall itself recently reported a breach of their system storing backup copies of configuration data."
The Path Forward
At-Bay urges organizations to:
1. Migrate to cloud-based SASE solutions for reduced attack exposure
2. Prioritize rigorous maintenance (patching, configuration hardening, MFA) if retaining on-prem VPNs
3. Conduct continuous vendor assessments amid evolving threat landscapes
The report signals an inflection point: VPNs—originally simple security tools—have become liabilities through unchecked complexity. As Tyra concludes, this underscores "the importance of ongoing vendor evaluation and proactive security maintenance, regardless of which products an organization uses."
Source: At-Bay 2025 InsurSec Report, The Register (October 28, 2025)